Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

b2b74bbcb6...bf.exe

windows7-x64

10

b2b74bbcb6...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01/12/2022, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2b74bbcb632baa881c1b1bf3101668c7180d5f5fddc05cc2db01fc225c81ebf.exe

  • Size

    769KB

  • MD5

    f0e1484d691b12431fba91c0e2496302

  • SHA1

    94aefda8547526f272bf61505533ad45833c9953

  • SHA256

    b2b74bbcb632baa881c1b1bf3101668c7180d5f5fddc05cc2db01fc225c81ebf

  • SHA512

    2d75c952a9831c202e4c2e9e3d8afdfd9624566ee149e508a161ef613832938c4b315505be0c4f458b16c37370ea4039f3a87081feb295e793afa0650af13d58

  • SSDEEP

    12288:TBzLY3O3AibXVa37V5kNlyXo8HHUYbQEZyKKa1Lb/Zr+aXbKuGduiTsJXrMxh3HN:THXwjRO8d44oep

Score
10/10
cybergateex4stealertrojan

Malware Config

Extracted

Family

cybergate

Version

v1.10.4

Botnet

EX4

C2

trinity.serveftp.com:4200

Mutex

2X3B3ON7QEJ84M

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    install

  • install_file

    server.exe

  • install_flag

    true

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    eggnet

  • regkey_hkcu

    HKCU

  • regkey_hklm

    HKLM

Signatures

  • CyberGate, Rebhip

    CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    trojanstealercybergate
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2b74bbcb632baa881c1b1bf3101668c7180d5f5fddc05cc2db01fc225c81ebf.exe
    "C:\Users\Admin\AppData\Local\Temp\b2b74bbcb632baa881c1b1bf3101668c7180d5f5fddc05cc2db01fc225c81ebf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\notepad.exe
      C:\Windows\notepad.exe
      2⤵
        PID:2020
      • C:\Windows\notepad.exe
        C:\Windows\notepad.exe
        2⤵
          PID:292

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/292-55-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-56-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-58-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-60-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-59-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-61-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-62-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-64-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/292-66-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1740-54-0x0000000076531000-0x0000000076533000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1740-67-0x0000000074BA0000-0x000000007514B000-memory.dmp

        Filesize

        5.7MB

        Download